E OHS Module Directives

This appendix describes the directives available in the Oracle-developed modules supported by OHS. It contains these sections:

• Section E.1, "mod_certheaders"

• Section E.2, "mod_onsint"

• Section E.3, "mod_oradav"

• Section E.4, "mod_ossl"

• Section E.5, "mod_osso"

• Section E.6, "mod_plsql"

• Section E.7, "mod_wl_ohs"

Note:

The directives described in this appendix are only for modules developed by Oracle. OHS also includes many Apache HTTP Server and third-party modules out-of-the-box. See "Apache HTTP Server and Third-party Modules in Oracle HTTP Server" in Chapter 3 for a list of these modules and a link to their documentation.

E.1 mod_certheaders

mod_certheaders accepts the following directives:

• AddCertHeader

• SimulateHttps

E.1.1 AddCertHeader

Specifies which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable. AddCertHeader is generally used for Web Cache in front of OHS.

Category	Value
Syntax	AddCertHeader environment_variable
Example	AddCertHeader SSL_CLIENT_CERT
Default	None

Note:

If a simulated SSL connection needs to be passed to WebLogic Server, AddCertHeader can be used with mod_wl_ohs as well. That module's directive, WLProxySSLPassThrough, ensures that the certificate is passed to the backend (irrespective of the real or simulated SSL connection).

E.1.2 SimulateHttps

mod_certheaders can be used to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS. and SimulateHttps is used for load balancer type of devices.

Category	Value
Syntax	SimulateHttps on|off
Example	SimulateHttps on
Default	off

E.2 mod_onsint

mod_certheaders accepts the OpmnHostPort directive.

E.2.1 OpmnHostPort

This directive enables you to specify a hostname and port that OPMN should use for pinging the Oracle HTTP Server instance that mod_onsint is running in. If OpmnHostPort is not specified, mod_onsint chooses an HTTP port automatically. However, in certain circumstances, you may want to choose a specific HTTP port and hostname that OPMN should use to ping the listener with.

Category	Value
Syntax	OpmnHostPort host:Port
Example	OpmnHostPort localhost:7778
Default	None

E.3 mod_oradav

mod_oradav accepts the following directives:

• ORAAllowIndexDetails

• ORAAltPassword

• ORACacheDirectory

• ORACacheMaxResourceSize

• ORACachePrunePercent

• ORACacheTotalSize

• ORAConnect

• ORAConnectSN

• ORAContainerName

• ORAException

• ORAGetSource

• ORALockExpirationPad

• ORAPackageName

• ORAPassword

• ORARootPrefix

• ORAService

• ORATraceEvents

• ORATraceLevel

• ORAUser

E.3.1 ORAAllowIndexDetails

In an Oracle HTTP Server environment that is not OraDAV-enabled, mod_dav does not respond to HTTP GET requests. Instead, normal Oracle HTTP Server mechanisms are used to respond to GET requests.

The ORAAllowIndexDetails parameter controls how OraDAV responds when a GET request is performed on a DAV collection and no index.html file is found in the directory. In a typical Oracle HTTP Server environment, a separate module takes control, automatically generating and returning to the client HTML that represents an "index" of the resources (files) in that collection.

Category	Value
Syntax	ORAAllowIndexDetails true | false
Example	ORAAllowIndexDetails true
Default	false

E.3.2 ORAAltPassword

Specifies the password for the user specified by the ORAUser parameter. The OraAltPassword uses a base-64 encoded character string. This parameter provides an alternative if you do not want the password to appear in unencoded plain text with the ORAUser parameter. If the ORAPassword parameter is not specified, this value is used for the password.

Category	Value
Syntax	ORAAltPassword password
Example	ORAAltPassword myPassword
Default	None

E.3.3 ORACacheDirectory

Specifies the directory to use for disk caching operations, per these requirements:

• The specified directory must exist and be readable by Oracle HTTP Server, but cannot be visible to normal GET requests. If the directory is visible to normal GET requests, security measures could be bypassed by users accessing the cache directory.

• The directory should be located on a file system that supports a last accessed time. On Microsoft Windows systems, this means using NTFS, not FAT, formatted partitions.

• You cannot use the cache directory for anything other than caching. Any files in the cache directory are subject to deletion.

If you use the ORACacheDirectory parameter, you must also use the ORACacheTotalSize parameter.

Category	Value
Syntax	ORACacheDirectory directoryName
Example	ORACacheDirectory
Default	If not used, disk caching is not performed for OraDAV operations

See Also:

Section 9.4.1, "Using Disk Caching with OraDAV"

E.3.4 ORACacheMaxResourceSize

Specifies the maximum cacheable resource size for disk caching operations. You can specify kilobytes (KB) or megabytes (MB) after an integer. If you do not specify a unit after the integer, then the default unit is bytes.

This parameter enables Web administrators to prevent large media files from dominating the cache. The performance benefit of caching a large file is greater than from caching a small file.

Category	Value
Syntax	ORACacheMaxResourceSize nnKB|MB
Example	ORACacheMaxResourceSize 1024KB
Default	None

See Also:

Section 9.4.1, "Using Disk Caching with OraDAV"

E.3.5 ORACachePrunePercent

Specifies the percentage of disk cache usage to be freed when the cache is full. When the disk cache is full, the oldest files in the cache are deleted until the cache disk usage is reduced by the ORACachePrunePercent value.

Category	Value
Syntax	ORACachePrunePercent nn
Example	ORACachePrunePercent 40
Default	25

See Also:

Section 9.4.1, "Using Disk Caching with OraDAV"

E.3.6 ORACacheTotalSize

Specifies the size of the cache to use for disk caching operations. You can specify MB (for megabytes) or GB (for gigabytes) after an integer. If you do not specify a unit after the integer, the default unit is bytes.

If you use the ORACacheDirectory parameter, you must also use the ORACacheTotalSize parameter.

The ORACacheTotalSize value should be large enough to hold either a significant amount of your Web site, or all of the most frequently accessed files plus 25 percent more space. If the value is too small, overall performance degrades because of the extra work of writing BLOB data to the file system and deleting files to make room for newer cache requests.

The actual space utilized by the disk cache might sometimes exceed the ORACacheTotalSize value, possibly by as much as the ORACacheMaxResourceSize value. You should also be aware of file system block size issues that could cause the cache to use more disk space than the ORACacheTotalSize value.

Category	Value
Syntax	DAVParam ORACacheTotalSize nnMB|GB
Example	DAVParam ORACacheTotalSize 1GB
Default	None

See Also:

Section 9.4.1, "Using Disk Caching with OraDAV"

E.3.7 ORAConnect

Specifies the Oracle database to connect to. The ORAConnect parameter lets you connect to a database that is not included in the tnsnames.ora file. The value must use the following format:

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database included in the tnsnames.ora file, use the ORAService parameter.

Category	Value
Syntax	ORAConnect database_host:database_port:database_sid
Example	ORAConnect my-pc.example.com:1521:mysid
Default	None

E.3.8 ORAConnectSN

Specifies the Oracle database to connect to. The ORAConnectSN parameter lets you connect to a database that is not included in the tnsnames.ora file. The value for this parameter is a character string.The value must use the following format:

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, or ORAService. To connect to a database included in the tnsnames.ora file, use the ORAService parameter.

Category	Value
Syntax	ORAConnectSN database-host:database-port:database-service-name
Example	ORAConnectSN my-pc.example.com:1521:mysid
Default	None

E.3.9 ORAContainerName

Within the database user (schema) specified by the ORAUser parameter, there must exist a container, which is a set of PL/SQ packages and database tables that allow the storage of files in the database within a hierarchical structure. The ORAContainerName parameter specifies the name of the container to use for the location. The value for this parameter is a character string, up to 20 characters. For example, <Location/project1>.

Category	Value
Syntax	ORAContainerName Location/project1
Example	ORAContainerName
Default	None

E.3.10 ORAException

Writes PL/SQL stack dumps in the Oracle HTTP Server log file, error_log, in the event of an exception in the PL/SQL package.

Category	Value
Syntax	ORAException RAISE|NORAISE
Example	ORAException RAISE
Default	NORAISE

Note:

Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.11 ORAGetSource

Specifies one or more file extensions to identify types of files that are not to be run, but rather opened for editing. This allows you to open files for editing that are usually run as a result of a GET operation. When entering filetypes, include dot separators (.) and use a comma to separate file extensions. The value for this parameter is enclosed within double quotation marks. For example:

".htm, .html, .jsp1, .jsp2"

This directive applies only to file system access.

Category	Value
Syntax	ORAGetSource ".type[, .type, .type, .type]"
Example	ORAGetSource ".htm, .html, .jsp1, .jsp2"
Default	.JSP .SQLJSP

Note:

The .jsp and .sqljsp files are by default opened for editing; you do not need to specify them in the ORAGetSource parameter.

E.3.12 ORALockExpirationPad

Intended to be used in high-latency network environments to adjust the refresh lock behavior in Microsoft Office. Microsoft Office attempts to refresh locks on DAV resources just before the lock is set to expire. If the Microsoft Office client and the DAV server experience network congestion between the refresh, the request might arrive after the lock has expired.

OraDAV periodically looks for locks on resources that have expired and deletes those locks. The ORALockExpirationPad parameter can be used to provide some additional time between when a lock expires and when that lock is deleted. For example, if ORALockExpirationPad is set to 120, OraDAV does not actually delete locks for at least two minutes after the expiration time.

Category	Value
Syntax	ORALockExpirationPad nn
Example	ORALockExpirationPad 90
Default	0

E.3.13 ORAPackageName

Identifies the OraDAV driver implementation that is to be called when issuing OraDAV commands. The default is the OraDAV driver, which is the ORDSYS.DAV_API_DRIVER package.

Category	Value
Syntax	ORAPackageName name
Example	ORAPackageName
Default	The OraDAV driver

E.3.14 ORAPassword

Specifies the password for the user specified by the ORAUser parameter.

If you do not want to specify the password as an unencoded text string with the ORAPassword parameter, you can specify the password as a base-64 encoded string with the ORAAltPassword parameter.

Category	Value
Syntax	ORAPassword password
Example	ORAPassword myPassword
Default	None

E.3.15 ORARootPrefix

Specifies the directory within the database repository to use as the root. If this parameter is specified, WebDAV clients see this directory as the root and are not able to see the repository directories that lead up to it. Do not include a trailing slash (/) in the value.

WebDAV clients can view the /third directory and can navigate to the /third/fourth directory, but will not be able to view or navigate to the /first or /first/second directories.

Category	Value
Syntax	ORARootPrefix /dirName1[/dirName1/dirName1/dirName1]
Example	ORARootPrefix /first/second
Default	None

E.3.16 ORAService

Specifies the Oracle database to connect to. The specified value must match a SID value in the tnsnames.ora file.

To connect to an Oracle database, you must specify one, and no more than one, of the parameters ORAConnect, ORAConnectSN, or ORAService. To connect to a database that is not included in the tnsnames.ora file, use the ORAConnect or ORAConnectSN parameter.

Category	Value
Syntax	ORAService databaseName
Example	ORAService
Default	None

E.3.17 ORATraceEvents

Specifies the types of events to be recorded in the Oracle HTTP Server error log for debugging. The value for this parameter is one of the following:

• getsource: traces GET activity against the file system

• hreftoutf8: traces the HREF conversion from the native character set to UTF-8

• request: traces DAV requests, responses, and status values handled by mod_oradav

Category	Value
Syntax	ORATraceEvents getsource | hreftoutf8 | request
Example	ORATraceEvents getsource
Default	None

Note:

Although this parameter is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.18 ORATraceLevel

Specifies the level of debugging (trace statements) that will be entered in the Oracle HTTP Server error log. The lowest level is 0 (the default), which performs no tracing. The highest level is 4, which performs maximum tracing. The value for this parameter is an integer between 0 and 4.

The higher the number for the debugging level, the more information is written to the error log file.

Category	Value
Syntax	ORATraceLevel 0 | 1 | 2 | 3 | 4
Example	ORATraceLevel 2
Default	0

Note:

Although setting this parameter to a high number is useful for debugging purposes, it can use a large amount of disk space and can slow the performance of your system.

E.3.19 ORAUser

Specifies the database user (schema) to use when connecting to the service specified by the ORAConnect, ORAConnectSN, or ORAService parameter.

This user must have the following privileges:

• CONNECT

• RESOURCE

• CREATE TABLESPACE

• DROP TABLESPACE

• CREATE ANY TRIGGER

Category	Value
Syntax	ORAUser
Example	ORAUser
Default	None

E.4 mod_ossl

To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the ssl.conf file.

The following directives are described in subsequent sections:

• SSLAccelerator

• SSLCARevocationFile

• SSLCARevocationPath

• SSLCipherSuite

• SSLEngine

• SSLFIPS

• SSLLog

• SSLLogLevel

• SSLMutex

• SSLOptions

• SSLPassPhraseDialog

• SSLProtocol

• SSLProxyCipherSuite

• SSLProxyEngine

• SSLProxyProtocol

• SSLProxyWallet

• SSLRequire

• SSLRequireSSL

• SSLSessionCache

• SSLSessionCacheTimeout

• SSLVerifyClient

• SSLWallet

• SSLWalletPassword

E.4.1 SSLAccelerator

Specifies if SSL accelerator is used. Currently only nFast card is supported.

Category	Value
Syntax	SSLAccelerator yes|no
Example	SSLAccelerator yes
Default	SSLAccelerator no

Note:

The SSLAccelerator directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation.

E.4.2 SSLCARevocationFile

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Category	Value
Syntax	SSLCARevocationFile file_name
Example	SSLCARevocationFile /ORACLE_HOME/Apache/Apache/conf/ssl.crl/ca_bundle.crl
Default	None

E.4.3 SSLCARevocationPath

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

Category	Value
Syntax	SSLCARevocationPath path/to/CRL_directory/
Example	SSLCARevocationPath /ORACLE_HOME/Apache/Apache/conf/ssl.crl/
Default	None

E.4.4 SSLCipherSuite

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table E-1 displays the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:

• none: Adds the cipher to the list

• + : Adds the cipher to the list and place it in the correct location in the list

• - : Remove the cipher from the list (can be added later)

• ! : Remove the cipher from the list permanently

Tags are joined together with prefixes to form a cipher specification string. Cipher suite tags are listed in Table E-1. Available ciphers are described in Table E-2.

Category	Value
Example	SSLCipherSuite ALL:!LOW:!DH In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.
Syntax	SSLCipherSuite cipher-spec
Default	ALL:!ADH:+HIGH:+MEDIUM:+LOW
Context	server configuration, virtual host, directory

Table E-1 SSLCipher Suite Tags

Function	Tag	Meaning
Key exchange	kRSA	RSA key exchange
Key exchange	kDHr	Diffie-Hellman key exchange with RSA key
Authentication	aNULL	No authentication
Authentication	aRSA	RSA authentication
Authentication	aDH	Diffie-Hellman authentication
Encryption	eNULL	No encryption
Encryption	DES	DES encoding
Encryption	3DES	Triple DES encoding
Encryption	RC4	RC4 encoding
Data Integrity	MD5	MD5 hash function
Data Integrity	SHA	SHA hash function
Data Integrity	SHA256	SHA256 hash function
Data Integrity	SHA384	SHA384 hash function
Aliases	TLSv1	All TLS version 1 ciphers
Aliases	TLSv1.1	All TLS version 1.1 ciphers
Aliases	TLSv1.2	All TLS version 1.2 ciphers
Aliases	LOW	All low strength ciphers (export and single DES)
Aliases	MEDIUM	All ciphers with 128-bit encryption
Aliases	HIGH	All ciphers using triple DES
Aliases	AES	All ciphers using AES encryption
Aliases	RSA	All ciphers using RSA key exchange
Aliases	DH	All ciphers using Diffie-Hellman key exchange

Note:

All Export, anon, 40-bit, 50-bit, and 56-bit weak ciphers have been disabled in the Oracle HTTP Server 11.1.1.9.0 release

Table E-2 Cipher Suites Supported in Oracle Advanced Security

Cipher Suite	Authentication	Encryption	Data Integrity	TLSv1	TLSv1.1	TLSv1.2
SSL_RSA_WITH_RC4_128_MD5	RSA	RC4 (128)	MD5	Yes	Yes	Yes
SSL_RSA_WITH_RC4_128_SHA	RSA	RC4 (128)	SHA	Yes	Yes	Yes
SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	3DES (168)	SHA	Yes	Yes	Yes
SSL_RSA_WITH_AES_128_CBC_SHA	RSA	AES (128)	SHA	Yes	Yes	Yes
SSL_RSA_WITH_AES_256_CBC_SHA	RSA	AES (256)	SHA	Yes	Yes	Yes
TLS_RSA_WITH_AES_128_CBC_SHA256	RSA	AES (128)	SHA256	No	No	Yes
TLS_RSA_WITH_AES_256_CBC_SHA256	RSA	AES (256)	SHA256	No	No	Yes
TLS_RSA_WITH_AES_128_GCM_SHA256	RSA	AES (128)	SHA256	No	No	Yes
TLS_RSA_WITH_AES_256_GCM_SHA384	RSA	AES (256)	SHA384	No	No	Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	ECDSA	AES (128)	SHA	Yes	Yes	Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	ECDSA	AES (256)	SHA	Yes	Yes	Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	ECDSA	AES (128)	SHA256	No	No	Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	ECDSA	AES (256)	SHA384	No	No	Yes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ECDSA	AES (128)	SHA256	No	No	Yes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ECDSA	AES (256)	SHA384	No	No	Yes

E.4.5 SSLEngine

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 11–1 is an example for using SSLEngine directive. The default SSL is 4443 on UNIX and 443 on Windows.

Category	Value
Syntax	SSLEngine on|off
Example	SSLEngine on
Default	off

E.4.6 SSLFIPS

This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on followed by SSLFIPS off or similar). The mode applies to all SSL library operations.

Category	Value
Syntax	SSLFIPS ON | OFF
Example	SSLFIPS ON
Default	Off

Configuring an SSLFIPS change requires that the SSLFIPS on/off directive be set globally in ssl.conf. Virtual level configuration is disabled in the SSLFIPS directive. Hence, setting SSLFIPS to virtual directive will result in an error.

The cipher suites supported in SSLFIPS mode are:

Table E-3 Cipher Suites Supported by SSLFIPS

Cipher Suite	Protocol
SSL_RSA_WITH_3DES_EDE_CBC_SHA	TLSv1.0 and greater
SSL_RSA_WITH_AES_128_CBC_SHA	TLSv1.0 and greater
SSL_RSA_WITH_AES_256_CBC_SHA	TLSv1.0 and greater
TLS_RSA_WITH_AES_128_CBC_SHA256	TLSv1.2
TLS_RSA_WITH_AES_256_CBC_SHA256	TLSv1.2
TLS_RSA_WITH_AES_128_GCM_SHA256	TLSv1.2
TLS_RSA_WITH_AES_256_GCM_SHA384	TLSv1.2
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	TLSv1.0 and greater
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	TLSv1.0 and greater
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	TLSv1.2
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	TLSv1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	TLSv1.2
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	TLSv1.2

Note:

• To use the TLS_ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The TLS_ECDHE_ECDSA cipher suite does not work with RSA certificates.

• To use the SSL_RSA/TLS_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/TLS_RSA cipher suite does not work with ECC certificates.

  For more information on configuring ECC/RSA certificates in a wallet, see "Creating and Viewing Oracle Wallets with orapki" in Administering Oracle Fusion Middleware.

For instructions on how to implement these cipher suites and corresponding protocols, see Section E.4.4, "SSLCipherSuite" and Section E.4.12, "SSLProtocol".

For more information on SSL FIPS 140-2 Standard for Oracle HTTP Server 11.1.1.9, see My Oracle Support Knowledge Database Doc ID 2115681.1 at https://support.oracle.com/.

E.4.7 SSLLog

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Category	Value
Syntax	SSLLog path/to/file
Example	SSLLog
Default	None

E.4.8 SSLLogLevel

Specifies the verbosity degree of the SSL engine log file. The degrees, or levels, are (in ascending order, where each level is included in the levels preceding it):

• none: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

• error: Only messages of the type 'error' (conditions that stop processing) are logged.

• warn: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

• info: Messages that summarize major processing actions are logged.

• trace: Messages that summarize minor processing actions are logged.

• debug: Messages that summarize development and low-level I/O operations are logged.

Category	Value
Syntax	SSLLogLevel none | error | warn | info | trace | debug
Example	SSLLogLevel error
Default	None

E.4.9 SSLMutex

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes. Accepted values are:

• file:path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot. This setting is not available on Windows.

• none: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.

• pthread: This directive tells the SSL Module to use Posix thread mutexes. It is only available if the underlying platform and Apache Portable Runtime (APR) supports it.

• sem: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.

Category	Value
Syntax	SSLMutex none | file | pthread | sem
Example	SSLMutex file:/usr/local/apache/logs/ssl_mutex
Default	pthread

Notes:

• In the Oracle HTTP Server default ssl.conf template file, pthread is defined as the default value for the SSLMutex directive for non-Windows platforms and none is defined as a default value for the Windows platform as follows:

  <IfModule mpm_winnt_module>
     SSLMutex "none"
  </IfModule>
  <IfModule !mpm_winnt_module>
     SSLMutex pthread
  </IfModule>
   
  

  As new Oracle HTTP Server instances are created for non-Windows platforms, the default value for SSLMutex will continue to be pthread unless you explicitly modify your configuration. If you comment out these lines in the ssl.conf file and no value is specified for SSLMutex in the Oracle HTTP Server configuration files, then Oracle HTTP Server will use none as the default value for SSLMutex.

• The none value for the SSLMutex directive is not recommended for non-Windows platforms, because it can create a garbled session cache and can lead to core dumps.

E.4.10 SSLOptions

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Accepted values are:

• StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.

• ExportCertData: Enables the following additional CGI/SSI variables:

  SSL_SERVER_CERT

  SSL_CLIENT_CERT

  SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

  These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.

  SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.

• FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.

• StrictRequire: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

  Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

• CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

• OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Category	Value
Syntax	SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate
Example	SSLOptions -StdEnvVars
Default	None

E.4.11 SSLPassPhraseDialog

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet. Accepted if values are:

• builtin: when the server is started, mod_ossl prompts for a password for each wallet.

  This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.

• exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.

Category	Value
Syntax	SSLPassPhraseDialog builtin | exec
Example	SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter
Default	builtin

E.4.12 SSLProtocol

Note:

The SSLv2 protocol is no longer supported by Oracle HTTP Server. The SSLv3 protocol is supported for backwards compatibility, but because of security concerns, it is disabled out-of-the-box in the Oracle HTTP Server 11.1.1.9 release.

You can configure the SSLv3 protocol by explicitly entering SSLv3 in the SSLProtocol directive. However, Oracle strongly discourages the use of SSLv3 and logs a warning message cautioning you about the use of an insecure protocol. The following ciphers can be used with an SSLv3 configuration:

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_RSA_WITH_AES_128_CBC_SHA

• SSL_RSA_WITH_AES_128_CBC_SHA

If you are upgrading from an earlier release of Oracle HTTP Server, the SSLv3 and/or SSLv2 security protocol might be a part of your configuration. Oracle strongly recommends that you disable any SSLv3 or SSLv2 configuration from Oracle HTTP Server. See Section 8.9, "Disable SSLv2 and SSLv3 Security Protocols."

Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:

• TLSv1

• TLSv1.1

• TLSv1.2

• All

You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:

• + : Adds the protocol to the list

• - : Removes the protocol from the list

In the current release, All is defined as +TLSv1 +TLSv1.1 +TLSv1.2 (SSLv2 is not supported and SSLv3 is disabled out-of-the-box.)

Table E-2 lists the ciphers that are available for the TLSv1, TLSv1.1, and TLSv1.2 protocols.

In the current release, you can specify the value for this directive using the OpenSSL format. The nzos* formats have been deprecated and their use should be avoided.

Protocol Name	OpenSSL Format	nzos* Format (Deprecated)
TLS version 1.0	TLSv1	nzos_Version_1_0
TLS version 1.1	TLSv1.1	nzos_Version_1_1
TLS version 1.2	TLSv1.2	nzos_Version_1_2

Category	Value
Syntax	SSLProtocol [+-] TLSv1 | TLSv1.1 | TSLv1.2 | All
Example	SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
Default	ALL

E.4.13 SSLProxyCipherSuite

Specifies the SSL cipher suite that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table E-1 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following values:

• none: Adds the cipher to the list

• + : Adds the cipher to the list and places it in the correct location in the list

• - : Removes the cipher from the list (which can be added later)

• ! : Removes the cipher from the list permanently

Tags are joined with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive. For a list of supported suite tags, see Table E-1.

Category	Value
Example	SSLProxyCipherSuite ALL:!MD5 In this example, all ciphers are specified except MD5 strength ciphers.
Syntax	SSLProxyCipherSuite cipher-spec
Default	ALL:!ADH:+HIGH:+MEDIUM

The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.1.3, see Table E-2.

E.4.14 SSLProxyEngine

Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost> section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.

SSLProxyEngine should not be included in a virtual host that will be acting as a forward proxy (by using Proxy or ProxyRequest directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.

Category	Value
Syntax	SSLProxyEngine ON | OFF
Example	SSLProxyEngine on
Default	Disable

E.4.15 SSLProxyProtocol

Specifies SSL protocol(s) for mod_ossl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:

• TLSv1

• TLSv1.1

• TLSv1.2

• All

You can specify multiple values as a space-delimited list. In the syntax for SSLProxyProtocol, the "-" and "+" symbols have the following meaning:

• + : Adds the protocol to the list

• - : Removes the protocol from the list

In the current release All is defined as +TLSv1 +TLSv1.1 +TLSv1.2 (SSLv2 is not supported and SSLv3 is disabled out-of-the-box).

Category	Value
Syntax	SSLProxyProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All
Example	SSLProxyProtocol +TLSv1 +TLSv1 +TLSv1.1
Default	ALL

E.4.16 SSLProxyWallet

Specifies the location of the wallet with its WRL, specified as a filepath, that a proxy connection must use.

Category	Value
Syntax	SSLProxyWallet file:path to wallet
Example	SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy"
Default	None

E.4.17 SSLRequire

Denies access unless an arbitrarily complex boolean expression is true.

Category	Value
Syntax	SSLRequire expression (see Understanding the Expression)
Example	SSLRequire word ">=" word |word "ge" word
Default	None

Understanding the Expression

The expression must match the following syntax (given as a BNF grammar notation):

expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"

comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word

word ::= digit
cstring
variable
function

digit ::= [0-9]+

cstring ::= "..."

variable ::= "%{varname}"

Table E-4 and Table E-5 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Table E-4 lists the standard variables for SSLRequire varname.

Table E-4 Standard Variables for SSLRequire Varname

Standard Variables	Standard Variables	Standard Variables
HTTP_USER_AGENT	PATH_INFO	AUTH_TYPE
HTTP_REFERER	QUERY_STRING	SERVER_SOFTWARE
HTTP_COOKIE	REMOTE_HOST	API_VERSION
HTTP_FORWARDED	REMOTE_IDENT	TIME_YEAR
HTTP_HOST	IS_SUBREQ	TIME_MON
HTTP_PROXY_CONNECTION	DOCUMENT_ROOT	TIME_DAY
HTTP_ACCEPT	SERVER_ADMIN	TIME_HOUR
HTTP:headername	SERVER_NAME	TIME_MIN
THE_REQUEST	SERVER_PORT	TIME_SEC
REQUEST_METHOD	SERVER_PROTOCOL	TIME_WDAY
REQUEST_SCHEME	REMOTE_ADDR	TIME
REQUEST_URI	REMOTE_USER	ENV:variablename
REQUEST_FILENAME

Table E-5 lists the SSL variables for SSLRequire varname.

Table E-5 SSL Variables for SSLRequire Varname

SSL Variables	SSL Variables	SSL Variables
HTTPS	SSL_PROTOCOL	SSL_CIPHER_ALGKEYSIZE
SSL_CIPHER	SSL_CIPHER_EXPORT	SSL_VERSION_INTERFACE
SSL_CIPHER_USEKEYSIZE	SSL_VERSION_LIBRARY	SSL_SESSION_ID
SSL_CLIENT_V_END	SSL_CLIENT_M_SERIAL	SSL_CLIENT_V_START
SSL_CLIENT_S_DN_ST	SSL_CLIENT_S_DN	SSL_CLIENT_S_DN_C
SSL_CLIENT_S_DN_CN	SSL_CLIENT_S_DN_O	SSL_CLIENT_S_DN_OU
SSL_CLIENT_S_DN_G	SSL_CLIENT_S_DN_T	SSL_CLIENT_S_DN_I
SSL_CLIENT_S_DN_UID	SSL_CLIENT_S_DN_S	SSL_CLIENT_S_DN_D
SSL_CLIENT_I_DN_C	SSL_CLIENT_S_DN_Email	SSL_CLIENT_I_DN
SSL_CLIENT_I_DN_O	SSL_CLIENT_I_DN_ST	SSL_CLIENT_I_DN_L
SSL_CLIENT_I_DN_T	SSL_CLIENT_I_DN_OU	SSL_CLIENT_I_DN_CN
SSL_CLIENT_I_DN_S	SSL_CLIENT_I_DN_I	SSL_CLIENT_I_DN_G
SSL_CLIENT_I_DN_Email	SSL_CLIENT_I_DN_D	SSL_CLIENT_I_DN_UID
SSL_CLIENT_CERT	SSL_CLIENT_CERT_CHAIN_n	SSL_CLIENT_ROOT_CERT
SSL_CLIENT_VERIFY	SSL_CLIENT_M_VERSION	SSL_SERVER_M_VERSION
SSL_SERVER_V_START	SSL_SERVER_V_END	SSL_SERVER_M_SERIAL
SSL_SERVER_S_DN_C	SSL_SERVERT_S_DN_ST	SSL_SERVER_S_DN
SSL_SERVER_S_DN_OU	SSL_SERVER_S_DN_CN	SSL_SERVER_S_DN_O
SSL_SERVER_S_DN_I	SSL_SERVER_S_DN_G	SSL_SERVER_S_DN_T
SSL_SERVER_S_DN_D	SSL_SERVER_S_DN_UID	SSL_SERVER_S_DN_S
SSL_SERVER_I_DN	SSL_SERVER_I_DN_C	SSL_SERVER_S_DN_Email
SSL_SERVER_I_DN_L	SSL_SERVER_I_DN_O	SSL_SERVER_I_DN_ST
SSL_SERVER_I_DN_CN	SSSL_SERVER_I_DN_T	SSL_SERVER_I_DN_OU
SSL_SERVER_I_DN_G	SSL_SERVER_I_DN_I

E.4.18 SSLRequireSSL

Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.

Category	Value
Syntax	SSLRequireSSL
Example	SSLRequireSSL
Default	None

E.4.19 SSLSessionCache

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:

• dc:UNIX:/path/to/socket: This makes use of the distcache distributed session caching libraries. The argument should specify the location of the server or proxy to be used using the distcache address syntax; for example, UNIX:/path/to/socket specifies a UNIX domain socket (typically a local dc_client proxy); IP:server.example.com:9001 specifies an IP address.

• none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.

• nonenotnull: This disables any global/inter-process Session Cache. However it does force OpenSSL to send a non-null session ID to accommodate buggy clients that require one.

• shmcb:/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb is more uniform in all environments when compared to shmht. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.

• shmht:/path/to/datafile[bytes]: Uses a high-performance hash table (bytes specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.

Category	Value
Syntax	SSLSessionCache dc:UNIX:/path/to/socket | none |nonetonull | shmcb:/path/to/datafile[bytes] | shmht: /path/to/datafile[bytes]
Examples	SSLSessionCache shmht: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000) SSLSessionCache shmcb: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)
Default	SSLSessionCache none

E.4.20 SSLSessionCacheTimeout

Specifies the number of seconds before a SSL session in the session cache expires.

Category	Value
Syntax	SSLSessionCacheTimeout seconds
Example	SSLSessionCacheTimeout 120
Default	300

E.4.21 SSLVerifyClient

Specifies whether or not a client must present a certificate when connecting. The accepted values are:

• none: No client certificate is required

• optional: Client may present a valid certificate

• require: Client must present a valid certificate

Category	Value
Syntax	SSLVerifyClient none | optional | require
Example	SSLVerifyClient optional
Default	None

Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

E.4.22 SSLWallet

Specifies the location of the wallet with its WRL, specified as a filepath.

Category	Value
Syntax	SSLWallet file:path to wallet
Example	SSLWallet file:/etc/ORACLE/WALLETS/server
Default	None

E.4.23 SSLWalletPassword

Note:

SSLWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, you should get a SSO wallet, with auto-login enabled, instead.

Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password. If no password is required do not set this directive.

Note:

If you are using a wallet created with the Auto Login feature of Oracle Wallet Manager, do not set this directive because these wallets do not require passwords.

Category	Value
Syntax	SSLWalletPassword password
Example	SSLWalletPassword myWalletPassword
Default	None

E.5 mod_osso

Note:

mod_osso is deprecated. You should use the Webgate plugin to achieve single sign on. For more information, see "Installing and Configuring Oracle HTTP Server 11g Webgate for OAM" in Oracle® Fusion Middleware Installation Guide for Oracle Identity Management.

mod_oddo accepts the following directives:

• OssoConfigFile

• OssoIdleTimeout

• OssoIgnoreUri

• OssoIpCheck

• OssoLegacyApp

• OssoProtectedOnly

• OssoRedirectByForm

• OssoSendCacheHeaders

• OssoHTTPOnly

E.5.1 OssoConfigFile

Specifies the path to osso.conf.

Category	Value
Syntax	OssoConfigFile path/to/osso.conf
Example	OssoConfigFile OracleOHS_Home/ohs/conf/osso/osso.conf
Default	None

E.5.2 OssoIdleTimeout

Specifies whether or not to enable cookie idle timeout.

Category	Value
Syntax	OssoIdleTimeout ON | OFF
Example	OssoIdleTimeout OFF
Default	OFF

E.5.3 OssoIgnoreUri

Identifies which URLs OHS should ignore.

• If ALL is specified, then all URLs are ignored.

• If querystring is specified, URLs matching the query string are ignored.

Category	Value
Syntax	OssoIgnoreUri ALL | querystring string
Example	OssoIgnoreUri ALL or OssoIgnoreUri querystring foo=bar,bar=baz\
Default	No URLs are ignored.

E.5.4 OssoIpCheck

When set to On, the directive enables a weak form of IP spoof checking. The incoming IP address is compared against the ClientIP header value.

Category	Value
Syntax	OssoIpCheck ON | OFF
Example	OssoIpCheck ON
Default	OFF

E.5.5 OssoLegacyApp

Specifies whether or not to enable URI authentication for the location where it was set. When On, URI authentication is enabled.

Category	Value
Syntax	OssoLegacyApp ON | OFF
Example	OssoLegacyApp ON
Default	OFF

E.5.6 OssoProtectedOnly

Specifies whether or not to create a cookie for an application that protects itself via dynamic sso directives. When ON this cookie is created.

Category	Value
Syntax	OssoProtectedOnly ON | OFF
Example	OssoProtectedOnly ON
Default	OFF

E.5.7 OssoRedirectByForm

Specifies whether or not to enable redirect by form. When On, the redirect is enabled.

Category	Value
Syntax	OssoRedirectByForm ON | OFF
Example	OssoRedirectByForm ON
Default	OFF

E.5.8 OssoSecureCookies

Specifies whether or not to enable secure cookies. When set to On, these cookies are enabled.

Category	Value
Syntax	OssoSecureCookies ON | OFF
Example	OssoSecureCookies OFF
Default	ON

E.5.9 OssoSendCacheHeaders

For statically protected pages, this directive specifies whether or not the following headers are sent:

• Pragma: no-cache

• Cache-Control: no-store

• Surrogate-Control: no-store

• Expires: Thu, 01 Jan 1970 12:00:00 GMT

Category	Value
Syntax	OssoSendCacheHeaders ON | OFF
Example	OssoSendCacheHeaders OFF
Default	ON

E.5.10 OssoHTTPOnly

Specifies whether or not to set HTTPOnly in the cookies created by the module. If ON, HTTPOnly is set.

Category	Value
Syntax	OssoHttpOnly ON | OFF
Example	OssoHttpOnly OFF
Default	ON

E.6 mod_plsql

The mod_plsql configuration parameters are described in these sections:

• Section E.6.1, "plsql.conf"

• Section E.6.2, "dads.conf"

• Section E.6.3, "cache.conf"

E.6.1 plsql.conf

The following parameters are used with the plsql.conf file:

• PlsqlDMSEnable

• PlsqlLogEnable

• PlsqlLogDirectory

• PlsqlIdleSessionCleanupInterval

E.6.1.1 PlsqlDMSEnable

Enables Dynamic Monitoring Service (DMS) for the mod_plsql module.

Category	Value
Syntax	PlsqlDMSEnable On | Off
Example	PlsqlDMSEnable On
Default	On

E.6.1.2 PlsqlLogEnable

Enables debug level logging for the mod_plsql module. Debug level logging is meant to be used for debugging purposes only.

When logging is enabled, Oracle HTTP Server log files are typically created in the ORACLE_INSTANCE/diagnostics/logs/OHS/config/OHS/component_name directory. However, the location specified in PlsqlLogDirectory determines the final location.

This parameter should be set to Off unless recommended by Oracle support to debug problems with the mod_plsql module.

To view more details about the internal processing of the mod_plsql module, set this directive to On. This causes the mod_plsql module to start logging every request that is processed. The log files are generated as specified by the PlsqlLogDirectory directive.

Category	Value
Syntax	PlsqlLogEnable On | Off
Example	PlsqlLogEnable Off
Default	Off

E.6.1.3 PlsqlLogDirectory

Specifies the directory where debug level logs are written.

Set the directory name of the location where log files should be generated when logging is enabled. To avoid possible confusion about the location of this directory, an absolute path is recommended.

On UNIX, this directory must have write permissions by the owner of the child httpd processes.

Category	Value
Syntax	PlsqlLogDirectory directory
Example	PlsqlLogDirectory ORACLE_INSTANCE/diagnostics/logs/OHS/component_name
Default	None

E.6.1.4 PlsqlIdleSessionCleanupInterval

Specifies the time (in minutes) in which the idle database sessions should be closed and cleaned by the mod_plsql module.

This directive is used in conjunction with connection pooling of database connections and sessions in the mod_plsql module. When a session is not used for the specified amount of time, it is closed and freed. This is done so that unused sessions can be cleaned, and the memory is freed on the database side.

Setting this time to a low number helps in faster cleanup of unused database sessions. If this number is too low, then this may adversely affect the performance benefits of connection pooling in the mod_plsql module.

If the number of open database sessions is not a concern, you can increase the value of this parameter for best performance. In such a case, if the site is accessed frequently enough that the idle session cleanup interval is never reached for a session, then the DAD configuration parameter PlsqlMaxRequestsPerSession can be modified so that it is guaranteed that a pooled database session gets recycled on a regular basis.

For most installations, the default value is adequate.

Category	Value
Syntax	PlsqlIdleSessionCleanupInterval number
Example	PlsqlIdleSessionCleanupInterval 10
Default	15 (minutes)

E.6.2 dads.conf

The dads.conf file contains the configuration parameters for the PL/SQL database access descriptor. (See Table E-1 for the file location.) A DAD is a set of values that specifies how the mod_plsql module connects to a database server to fulfill a HTTP request.

The following parameters are used with the dads.conf file:

PlsqlAfterProcedure PlsqlAlwaysDescribeProcedure PlsqlAuthenticationMode PlsqlBeforeProcedure PlsqlBindBucketLengths PlsqlBindBucketWidths PlsqlCGIEnvironmentList PlsqlConnectionTimeout PlsqlConnectionValidation PlsqlConnectionValidation PlsqlDatabaseConnectString PlsqlDatabasePassword PlsqlDatabaseUserName PlsqlDefaultPage PlsqlDocumentPath

PlsqlDocumentProcedure PlsqlDocumentTablename PlsqlErrorStyle PlsqlExclusionList PlsqlFetchBufferSize PlsqlInfoLogging PlsqlMaxRequestsPerSession PlsqlNLSLanguage PlsqlPathAlias PlsqlPathAliasProcedure PlsqlRequestValidationFunction PlsqlSessionCookieName PlsqlSessionStateManagement PlsqlTransferMode PlsqlUploadAsLongRaw

E.6.2.1 PlsqlAfterProcedure

Specifies the procedure to be invoked after calling the requested procedure. This enables you to put a hook point after the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call is made after running every procedure.

Category	Value
Syntax	PlsqlAfterProcedure string
Example	PlsqlAfterProcedure portal.mypkg.myafterproc
Default	None

Note:

This parameter should only be used for debugging purposes. In addition, you could use this parameter to stop SQL trace/SQL profiling.

E.6.2.2 PlsqlAlwaysDescribeProcedure

Specifies whether the mod_plsql module should describe a procedure before trying to run it. If this is set to On, then the mod_plsql module will always describe a procedure before invoking it. Otherwise, the mod_plsql module will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.

Category	Value
Syntax	PlsqlAlwaysDescribeProcedure On | Off
Example	PlsqlAlwaysDescribeProcedure On
Default	Off

Note:

This parameter should only be used for debugging purposes.

E.6.2.3 PlsqlAuthenticationMode

Specifies the authentication mode to use for allow access through the DAD. The accepted values for PlsqlAuthenticationMode are Basic, SingleSignOn, GlobalOwa, CustomOwa, PerPackageOwa.

Category	Value
Syntax	PlsqlAuthenticationMode Basic | SingleSignOn | GlobalOwa | CustomOwa | PerPackageOwa
Example	PlsqlAuthenticationMode CustomOwa
Default	Basic

• Basic is the default mode and determines whether or not to ask for username and password if they are not provided with PlsqlDatabaseUsername and PlsqlDatabasePassword. This setting is required for WebDB 2.x applications. If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration.

• SingleSignOn specifies that you want to use Single Sign-On server. This is required for DADs using Oracle9iAS Portal. As already stated the provided username and password need to be the one from your single signon server.

• GlobalOwa, CustomOwa, and PerPackageOwa are used only by very few PL/SQL applications. Custom authentication enables applications to authenticate users within the application itself, not at the database level.

  Authorization is performed by invoking a user-written authorization function. Custom authentication uses a static username/password that is stored in the DAD. It cannot be combined with dynamic username/password authentication. To enable custom authentication, set the level of authentication for PlsqlAuthenticationMode and implement the authorize function.

You should also be aware of the following:

• If the DAD is not using the Basic authentication, then you must include a valid username/password in the DAD configuration. For the Basic mode, to perform dynamic authentication, the DAD username/password parameters must be omitted.

• The SingleSignOn mode is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On. Most customer applications use Basic authentication. Custom authentication modes (GlobalOwa, CustomOwa, and PerPackageOwa) are used by very few PL/SQL applications.

E.6.2.4 PlsqlBeforeProcedure

Specifies the procedure to be invoked before calling the requested procedure. This enables you to put a hook point before the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made before running every procedure.

Category	Value
Syntax	PlsqlBeforeProcedure string
Example	PlsqlBeforeProcedure portal.mypkg.mybeforeproc
Default	None

Note:

This parameter should only be used for debugging purposes. In addition, you could use this parameter to start SQL Trace/SQL Profiling.

E.6.2.5 PlsqlBindBucketLengths

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind lengths to the nearest level.

All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.

Category	Value
Syntax	PlsqlBindBucketLengths number multiline
Example	PlsqlBindBucketLengths 4 PlsqlBindBucketLengths 25 PlsqlBindBucketLengths 125
Default	4,20,100,400

• This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.

• The default should be sufficient for most PL/SQL applications.

• To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.

• After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.

• Consider using flexible parameter passing to reduce the problem.

E.6.2.6 PlsqlBindBucketWidths

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

Specifies the rounding size to use while binding the number of elements in a collection bind. While executing PL/SQL statements, the Oracle database maintains a cache of PL/SQL statements in the shared SQL area, and attempts to reuse the cached statement if the same statement is run again. Oracle's matching criteria requires that the statement texts be identical, and that the bind variable data types match. Unfortunately, the type match for strings is sensitive to the exact byte size specified, and for collection bindings is also sensitive to the number of elements in the collection. Since the mod_plsql module binds statements dynamically, the odds of hitting the shared cache are low, and it may fill up with near-duplicates and lead to contention for the latch on the shared area. This parameter reduces that effect by bucketing bind widths to the nearest level.

All numbers specified should be in ascending order. After the last specified size, subsequent bucket sizes will be assumed to be twice the last one.

The last bucket width must be equal to or less than 4000. This is due to the restriction imposed by OCI where array bind widths cannot be greater than 4000.

Category	Value
Syntax	PlsqlBindBucketWidths number multiline
Example	PlsqlBindBucketWidths 40 PlsqlBindBucketWidths 400 PlsqlBindBucketWidths 2000
Default	32,128,1450,2048,4000

• This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure.

• The default should be sufficient for most PL/SQL applications.

• To see if this parameter needs to be changed, check the number of versions of a SQL statement in the SQL area.

• After the higher configured value, mod_plsql starts auto-generating bucket sizes of larger values by doubling the last value, as needed. Therefore, after 400, the next bucket value becomes 800, then 1600, and so on.

• Consider using flexible parameter passing to reduce the problem.

E.6.2.7 PlsqlCGIEnvironmentList

Specifies overrides and additions of CGI environment variables to the default set of environment variables passed to a PL/SQL procedure. This is a multi-line directive of name-value pairs to be added, overridden or removed. You can only specify one environment variable for each directive.

You can add CGI environment variables from the Oracle HTTP Server environment by specifying the variable name. To remove a CGI environment variable, set it equal to blank. To add your own name-value pair, use the syntax myname=myvalue.

Category	Value
Syntax	PlsqlCGIEnvironmentList string multiline
Default	None
Example	To add a new environment variable from the Oracle HTTP Server environment: PlsqlCGIEnvironmentList DOCUMENT_ROOT To remove an environment variable: PlsqlCGIEnvironmentList MYENVAR2= To override from the Oracle HTTP Server environment: PlsqlCGIEnvironmentList REQUEST_PROTOCOL=HTTPS To add your own environment variable: PlsqlCGIEnvironmentList MY_VARNAME=MY_VALUE

• Environment variables added here are available in the PL/SQL application through the function owa_util.get_cgi_env.

E.6.2.8 PlsqlConnectionTimeout

Specifies the timeout in milliseconds for testing a connection pool in the mod_plsql module.

Category	Value
Syntax	PlsqlConnectionTimeout number
Example	PlsqlConnectionTimeout 5000
Default	10000 (milliseconds)

When PlsqlConnectionValidation is set to Automatic or AlwaysValidate, the mod_plsql module attempts to test pooled database connections. This parameter specifies the maximum time the mod_plsql module should wait for the test request to complete before it assumes that the connection is not usable.

E.6.2.9 PlsqlConnectionValidation

Specifies the mechanism the mod_plsql module should use to detect terminated connections in its connection pool.

Note:

This configuration property is rarely ever changed, and system defaults suffice in almost all cases.

For performance reasons, the mod_plsql module pools database connections. If a database instance goes down, and the mod_plsql module was maintaining a pool of connections to the instance, then each pooled database connection results in an error when it is next used to service a request. This can be a concern in high availability configurations such as RAC where even if one node goes down, other nodes servicing the database might have been able to service the request successfully. The mod_plsql module provides for a mechanism whereby it can self-correct after it detects a failure that could be caused by a database node going down. This mechanism to self-correct is controlled by the parameter PlsqlConnectionValidation.

The following are the valid values for PlsqlConnectionValidation:

• Automatic: The mod_plsql module tests all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.

• ThrowAwayOnFailure: The mod_plsql module throws away all pooled database connections which were created prior to the detection of a failure that could mean an instance failure.

• AlwaysValidate: The mod_plsql module always tests all pooled database connections which were created prior to issuing a request. Since this option has an associated performance overhead for each request, this should be used with caution.

• NeverValidate: The mod_plsql module never pings any pooled database connection.

Category	Value
Syntax	PlsqlConnectionValidation Automatic | ThrowAwayOnFailure | AlwaysValidate | NeverValidate
Example	PlsqlConnectionValidation ThrowAwayOnFailure
Default	Automatic

When the mod_plsql module encounters one of the following errors, it assumes that the database may have been down.

• 00443 — background process <string> did not start

• 00444 — background process <string> failed while starting

• 00445 — background process did not start after <x> seconds

• 00447 — fatal error in background processes

• 00448 — normal completion of background process

• 00449 — background process <string> unexpectedly terminated with error

• 00470 — LGWR process terminated with error

• 00471 — DBWR process terminated with error

• 00472 — PMON process terminated with error

• 00473 — ARCH process terminated with error

• 00474 — SMON process terminated with error

• 00475 — TRWR process terminated with error

• 00476 — RECO process terminated with error

• 00480 — LCK* process terminated with error

• 00481 — LMON process terminated with error

• 00482 — LMD* process terminated with error

• 00484 — LMS* process terminated with error

• 00485 — DIAG process terminated with error

• 01014 — ORACLE shutdown in progress

• 01033 — ORACLE initialization or shutdown in progress

• 01034 — ORACLE not available

• 01041 — internal error. hostdef extension doesn't exist

• 01077 — background process initialization failure

• 01089 — immediate shutdown in progress- no operations permitted

• 01090 — shutdown in progress- connection is not permitted

• 01091 — failure during startup force

• 01092 — ORACLE instance terminated. Disconnection forced

• 03106 — fatal two-task communication protocol error

• 03113 — end-of-file on communication channel

• 03114 — not connected to ORACLE

• 12570 — TNS: packet reader failure

• 12571 — TNS: packet writer failure

E.6.2.10 PlsqlDatabaseConnectString

Specifies the connection to an Oracle database.

Category	Value
Syntax	PlsqlDatabaseConnectString string {ServiceNameFormat | SIDFormat | TNSFormat | NetServiceNameFormat} The string parameter depends on the second argument: If the second argument is ServiceNameFormat, string is HOST:PORT:SERVICE_NAME, where HOST is the host name running the database, PORT is the port number the TNS listener is listening at, and SERVICE_NAME is the database service name. An IPv6 address can be specified using the format [IPv6_ADDRESS]:PORT:SERVICE_NAME. If the second argument is SIDFormat, string is HOST:PORT:SID where HOST is the host name running the database, PORT is the port number the TNS listener is listening at, and SID is the database SID. An IPv6 address can be specified using the format [IPv6_ADDRESS]:PORT:SID. If the second argument is TNSFormat, string is a valid TNS alias that can be resolved using Net8 utilities like tnsping and SQL*Plus. If the second argument is NetServiceNameFormat, string is a valid net service name that can be resolved to a connect descriptor. A connect descriptor is a specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information. If the format argument is not specified, then the mod_plsql module assumes the string is either in the HOST:PORT:SID format, or resolvable by Net8. The differentiation between the two is made by the presence of the colon in the specified string. It is recommended that newer DADs do not use the SIDFormat syntax. This exists only for backward compatibility reasons. Use the new two argument format for newly created DADs.
Example	PlsqlDatabaseConnectString example.com:1521:myhost.iasdb.inst ServiceNameFormat PlsqlDatabaseConnectString [2001:DB8:f1ff:f1ff]:1521:myhost.iasdb.inst ServiceNameFormat PlsqlDatabaseConnectString example.com:1521:iasdb SIDFormat PlsqlDatabaseConnectString [2001:DB8:ff1ff:f1ff]:1521:iasdb SIDFormat PlsqlDatabaseConnectString myhost_tns TNSFormat PlsqlDatabaseConnectString cn=oracle,cn=iasdb NetServiceNameFormat PlsqlDatabaseConnectString (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=example.com)(Port= 1521))(CONNECT_DATA=(SID=iasdb))) TNSFormat PlsqlDatabaseConnectString myhost_tns PlsqlDatabaseConnectString example.com:1521:iasdb
Default	None

• If the database is running in the same Oracle home, or the environment variable TWO_TASK is set, then this parameter need not be specified.

• If the database is running in a separate Oracle home, then this parameter is mandatory.

• If you have problems connecting to the database:

  • Check the username and password information in the DAD.

  • Make sure that you run tnsping db_connect_string, and commands such as:

    sqlplus DADUsername/DADPassword@db_connect_string
    

  • Ensure that TNS_ADMIN is configured properly.

  • Verify that the HOST:PORT:SERVICE_NAME format works correctly.

  • Ensure that the TNS listener and database are up and running.

  • Ensure that you can ping the host from this machine.

• From a the mod_plsql module perspective, TNSFormat and NetServiceNameFormat are synonymous and denote connect descriptors that are resolved by Net8. The TNSFormat is provided as a convenience so that end-users use this to signify that the name resolution happens through the local tnsnames.ora. For situations where the resolution is through an LDAP lookup as configured in sqlnet.ora, it is recommended that the format specifier of NetServiceNameFormat be used.

  If your database supports high availability, for example, Oracle Real Application Clusters database, it is highly recommended that you use the NetServiceNameFormat such that the resolution for the net service name is through LDAP. This enables you to add or remove RAC nodes accessible through the mod_plsql module by changing Oracle Internet Directory with the new or deleted node information. In such situations, hard-coding database listener HOST:PORT information in dads.conf or in the local tnsnames.ora is not recommended.

E.6.2.11 PlsqlDatabasePassword

Specifies the password to use to log in to the database.

Category	Value
Syntax	PlsqlDatabasePassword string
Example	PlsqlDatabasePassword tiger
Default	None

• This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.

• For DADs using SingleSignOn authentication, this parameter uses the name of the schema owner.

After making manual configuration changes to DAD passwords, you should obfuscate the DAD passwords by running the dadTool.pl script, located in ORACLE_HOME/bin.

To obfuscate DAD passwords:

1. If necessary, change the user to the Oracle software owner user, typically oracle, using the following command:

   $ su - oracle
   

2. Set the ORACLE_HOME environment variable to specify the path to the Oracle home directory for the current release, and set the PATH environment variable to include the directory containing the Perl executable and the location of the dadTool.pl script.

   Bourne, Bash, or Korn shell:

   $ ORACLE_HOME=new_ORACLE_HOME_path;export ORACLE_HOME
   $ PATH=ORACLE_HOME/bin:ORACLE_HOME/perl/bin:$PATH;export PATH
   

   C or tcsh shell:

   % setenv ORACLE_HOME new_ORACLE_HOME_PATH
   % setenv PATH ORACLE_HOME/bin:ORACLE_HOME/perl/bin:PATH
   

   On Microsoft Windows, set the PATH and PERL5LIB environment variable:

   set PATH=ORACLE_HOME\bin;ORACLE_HOME\perl\bin;%PATH%
   set PERL5LIB=ORACLE_HOME\perl\lib
   

3. On UNIX platforms, set the shared library path environment variable.

   Include the ORACLE_HOME/lib or lib32 directory in your shared library path. Table E-6 shows the appropriate directory and environment variable for each platform.

   Table E-6 Shared Library Path Environment Variable

   Platform	Environment Variable	Include Directory
   AIX Based Systems	LIBPATH	ORACLE_HOME/lib
   HP-UX PA-RISC	SHLIB_PATH	ORACLE_HOME/lib
   Solaris Operating System	LD_LIBRARY_PATH	ORACLE_HOME/lib32
   Other UNIX platforms, including Linux and HP Tru64 UNIX	LD_LIBRARY_PATH	ORACLE_HOME/lib

   
   

   For example, on HP-UX PA-RISC systems, set the SHLIB_PATH environment to include the ORACLE_HOME/lib directory:

   $SHLIB_PATH=$ORACLE_HOME/lib:$SHLIB_PATH;export SHLIB_PATH
   

4. Change directory to the mod_plsql configuration directory for the current release of Oracle HTTP Server:

   cd ORACLE_HOME/bin
   

5. Invoke the following Perl script to obfuscate DAD password:

   perl dadTool.pl -f dadfilename
   

   where dadfilename is the filename for dads.conf, which includes the full path to the DAD file.

   For example:

   perl dadTool.pl -f /u01/app/oracle/as11gr1/ORACLE_INSTANCE/config/OHS/component_name/mod_plsql/dads.conf
   

E.6.2.12 PlsqlDatabaseUserName

Specifies the username to use to log in to the database.

Category	Value
Syntax	PlsqlDatabaseUsername string
Example	PlsqlDatabaseUsername scott
Default	None

• This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication.

• For DADs using SingleSignOn authentication, this parameter is the name of the schema owner.

E.6.2.13 PlsqlDefaultPage

Specifies the default procedure to call if none is specified in the URL.

Category	Value
Syntax	PlsqlDefaultPage string
Example	PlsqlDefaultPage myschema.mypackage.home
Default	None

You can also use Oracle HTTP Server Rewrite rules to achieve the same effect as you get by setting this configuration parameter.

E.6.2.14 PlsqlDocumentPath

Specifies a virtual path in the URL that initiates document download from the document table. For example, if this parameter is set to docs, then the following URLs will start the document downloading process for URLs of the format:

/pls/dad/docs
/pls/plsqlapp/docs

Category	Value
Syntax	PlsqlDocumentPath string
Example	PlsqlDocumentPath docs
Default	docs

Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.15 PlsqlDocumentProcedure

Specifies the procedure to call when a document download is initiated. This procedure is called to process the download.

Category	Value
Syntax	PlsqlDocumentProcedure string
Example	PlsqlDocumentProcedure portal.wwdoc_process.process_download
Default	None

Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.16 PlsqlDocumentTablename

Specifies the table in the database to which all documents are uploaded.

Category	Value
Syntax	PlsqlDocumentTablename string
Example	PlsqlDocumentTablename myschema.document_table
Default	None

Omit this parameter for applications that do not perform document uploads or downloads.

E.6.2.17 PlsqlErrorStyle

Specifies the error reporting mode for mod_plsql errors.

Category	Value
Syntax	PlsqlErrorStyle {ApacheStyle | ModplsqlStyle | DebugStyle} ApacheStyle: The mod_plsql module indicates to Oracle HTTP Server the HTTP error that was encountered. Oracle HTTP Server then generates the error page. This can be used with the Oracle HTTP Server ErrorDocument directive to produce customized error messages. ModplsqlStyle: The mod_plsql module generates the error pages, usually a short message indicating the PL/SQL error encountered and PL/SQL exception stack, if any. For example: scott.foo PROCEDURE NOT FOUND DebugStyle: This mode provides more details than ModplsqlStyle. The mod_plsql module provides more details about the URL and parameters, and also produces server configuration information. This mode is for debugging purposes only. Do not use this in a production system, since displaying internal server variables could be a security risk.
Example	PlsqlErrorStyle ModplsqlStyle
Default	ApacheStyle

E.6.2.18 PlsqlExclusionList

Specifies a pattern for procedures, packages, or schema names which are forbidden to be directly run from a browser. This is a multi-line directive in which each pattern is on a separate line. The pattern is not case sensitive and can accept a wildcard such as an asterisk (*). The default patterns disallowed from direct URL access are as follows:

• sys.*

• dbms_*

• utl_*

• owa_util*

• owa.*

• htp.*

• htf.*

• wpg_docload.*

Setting this directive to #NONE# will disable all protection. This is strongly discouraged for an active site and should not be done. It may be used for debugging purposes.

If this parameter is overridden, the defaults still apply, which means that you do not have to explicitly add the default list to the list of excluded patterns.

Category	Value
Syntax	PlsqlExclusionList {string | "#NONE#" multiline}
Example	PlsqlExclusionList myschema.private.* PlsqlExclusionList myschema.private1.* will disallow access to URLs which contain one of: sys.*, dbms_*, utl_*, owa_util*, owa.*, htp.*, htf.*, wpg_docload.*, myschema.private.*, myschema.private1.* PlsqlExclusionList "#NONE#" will disable all protection. Its use is strongly discouraged for an active site.
Default	sys.* dbms_* utl_* owa_util* owa.* htp.* htf.* wpg_docload.*

• In addition to the patterns specified with this parameter, the mod_plsql module disallows any procedure name which contains the following special characters:

  • tabs

  • new lines

  • carriage-return

  • single quotation mark

  • reverse slash

  • form feed

  • left parenthesis

  • right parenthesis

  • space

  This cannot be changed.

E.6.2.19 PlsqlFetchBufferSize

Specifies the number of rows of content to fetch from the database for each trip, using either owa_util.get_page or owa_util.get_page_raw.

By default, the mod_plsql module attempts to fetch 200 response lines of output where each line is of 255 bytes. In situations where the response bytes are single-bytes, the response buffer is populated to the maximum and can pack 255*200=51000 bytes for each round trip. For responses containing multi-byte data, the byte packing for each row could be less than ideal resulting in lesser bytes getting transferred for each round trip. If your application generates large pages frequently and the response does not fit in one round trip, then consider setting this parameter higher. The memory usage for the mod_plsql module will increase.

Category	Value
Syntax	PlsqlFetchBufferSize number
Example	PlsqlFetchBufferSize 256
Default	200

• This parameter is changed only for performance reasons. The minimum value for this parameter is 28, but it is seldom reduced.

• Change this parameter only under the following circumstances:

  • The average response page is large and you want to reduce the number of round-trips the mod_plsql module makes to the database to fetch the response.

  • The character set in use is multi-byte, and you want to compensate for the problem of get_page or get_page_raw fetching fewer bytes for each row. Calculations in the PL/SQL Web ToolKit are character-based and in the case of multi-byte characters, OWA packages assume a worst-case character byte size and do not attempt to pack each row to its maximum.

E.6.2.20 PlsqlInfoLogging

Specifies what mode the mod_plsql module should use to do extra performance logging.

InfoDebug mode: This logs more information to the Apache's error_log. This is used in conjunction with Apache's info logging level. If the Apache's logging level is not at least set to this high, this setting will be ignored.

Category	Value
Syntax	PlsqlInfoLogging InfoDebug
Example	PlsqlInfoLogging InfoDebug
Default	Empty

The logging setting is useful for debugging problems in your PL/SQL application.

E.6.2.21 PlsqlMaxRequestsPerSession

Specifies the maximum number of requests a pooled database connection should service before it is closed and re-opened.

Category	Value
Syntax	PlsqlMaxRequestsPerSession number
Example	PlsqlMaxRequestsPerSession 500
Default	1000

• This parameter helps relieve memory and resource problems that may occur due to prolonged session reuse by a PL/SQL application.

• This parameter should not need to be changed. The default is sufficient in most cases.

• Setting this parameter to a low number can degrade performance. A case for a lower value might be an infrequently-used DAD whose performance is not a concern, and for which limiting the number of requests provides some benefit.

E.6.2.22 PlsqlNLSLanguage

Specifies the NLS_LANG variable for this DAD. This parameter overrides the NLS_LANG environment variable. When this parameter is set, the PL/SQL Gateway uses the specified NLS_LANG to connect to the database. Once connected, an alter session command is issued to switch to the specified language and territory. If the middle tier character set matches that of the database, then no alter session call is issued by the mod_plsql module.

Category	Value
Syntax	PlsqlNLSLanguage string
Example	PlsqlNLSLanguage America_America.UTF8
Default	None

• Most applications have PlsqlTransferMode set to CHAR which means that the character set in PlsqlNLSLanguage needs to match the character set of the database. In one special case, where the database and the mod_plsql module are both using fixed-size character sets, and the character set width matches, the character set can be different. The response character set is always the mod_plsql module character set.

• If PlsqlTransferMode is set to RAW, then this parameter can be ignored.

E.6.2.23 PlsqlPathAlias

Specifies a virtual path alias to map to a procedure call. This is application-specific. This directive is used with PlsqlPathAliasProcedure.

Category	Value
Syntax	PlsqlPathAlias string
Example	PlsqlPathAlias url
Default	None

For applications that do not use path aliasing, this parameter may be omitted.

E.6.2.24 PlsqlPathAliasProcedure

Specifies the procedure to call when the virtual path in the URL matches the path alias as configured by PlsqlPathAlias.

Category	Value
Syntax	PlsqlPathAliasProcedure string
Example	PlsqlPathAliasProcedure portal.wwpth_api_alias.process_download
Default	None

For applications that do not use path aliasing, this parameter may be omitted.

E.6.2.25 PlsqlRequestValidationFunction

Specifies an application-defined PL/SQL function which gives you the opportunity to allow and disallow further processing of the requested procedure. This is useful in implementing tight security for your PL/SQL application by blocking out package and procedure calls that should not be allowed to run from a DAD.

The function defined by this parameter must have the following prototype:

boolean function_name (procedure_name IN varchar2)

The procedure_name parameter will contain the name of the procedure that the request is trying to run.

For example, if all the PL/SQL application procedures callable from a browser are inside the package mypkg, then an implementation of this function can be as follows:

boolean my_validation_check (procedure_name varchar2)
is
begin
  if (upper (procedure_name) like upper ('myschema.mypkg%')) then
    return TRUE
  else
    return FALSE
  end if;
end;

Category	Value
Syntax	PlsqlRequestValidationFunction string
Example	PlsqlRequestValidationFunction myschema.mypkg.my_validation_check
Default	none

• By default, the mod_plsql module already disallows direct URL access to certain schemas and packages. For more information, refer to PlsqlExclusionList.

• It is highly recommended that you provide an implementation for this function such that it only allows requests that belong to your application, and are callable from a browser.

• Since this function will be called for every request, be sure to make this function as optimized as possible. Suggested recommendations are:

  • Name your PL/SQL packages in a fashion such that the implementation of this function can be similar to the previous example.

  • If your implementation performs a table lookup to determine what packages and procedures should be allowed, then performance can be improved if you pin the cursor in the shared pool.

E.6.2.26 PlsqlSessionCookieName

Specifies the cookie name when PlsqlAuthenticationMode is set to SingleSignOn. This parameter is supported only for Oracle Fusion Middleware releases, and is used by Oracle Portal and Oracle Single Sign-On.

Category	Value
Syntax	PlsqlSessionCookieName cookie_name
Example	PlsqlSessionCookieName mycookie
Default	Same as DAD name

• For DADs not using SingleSignOn authentication, this parameter can be omitted. In most other cases, the session cookie name should be omitted (and this parameter automatically defaults to the DAD name).

• A session cookie name must be specified only for Oracle Portal instances that need to participate in a distributed Oracle Portal environment. For those Oracle Portal nodes you want to seamlessly participate as a federated cluster, ensure that the session cookie name for all the participating nodes is the same.

• Independent Oracle Portal nodes need to use distinct session cookie names.

E.6.2.27 PlsqlSessionStateManagement

Specifies how package and session state should be cleaned up at the end of each the mod_plsql request.

• StatelessWithResetPackageState causes the mod_plsql module to call dbms_session.reset_package_state at the end of each mod_plsql request. This is the default.

• StatelessWithPreservePackageState causes the mod_plsql module to call htp.init at the end of each mod_plsql request. This cleans up the state of session variables in the PL/SQL Web ToolKit. The PL/SQL application is responsible for cleaning up its own session state. Failure to do so causes erratic behavior, in which a request starts recognizing or manipulating state modified in previous requests.

• StatelessWithFastResetPackageState causes the mod_plsql module to call dbms_session.modify_package_state(dbms_session.reinitialize) at the end of each mod_plsql request. This API is faster than the mode of StatelessWithResetPackageState, and avoids some latch contention issues, but exists only in Oracle database releases 8.1.7.2 and later. This mode uses slightly more memory than the default mode.

Category	Value
Syntax	PlsqlSessionStateManagement {StatelessWithResetPackageState | StatelessWithFastResetPackageState | StatelessWithPreservePackageState}
Example	PlsqlSessionStateManagement StatelessWithPreservePackageState
Default	StatelessWithResetPackageState

• The earlier values of stateful=no or stateful=STATELESS_RESET corresponds to StatelessWithResetPackageState.

• The earlier value of stateful=STATELESS_FAST_RESET corresponds to StatelessWithFastResetPackageState.

• The earlier value of stateful=STATELESS_PRESERVE corresponds to StatelessWithPreservePackageState.

The mod_plsql module does not support stateful mode of operation. To allow PL/SQL applications stateful behavior, save the state in cookies and/or in the database.

E.6.2.28 PlsqlTransferMode

Specifies the transfer mode for data from the database back to the mod_plsql module. Most applications use the default value of CHAR.

Category	Value
Syntax	PlsqlTransferMode {CHAR | RAW}
Example	PlsqlTransferMode CHAR
Default	CHAR

This parameter only needs to be changed to enable sending back responses in different character sets from the same DAD. In such a case, the CHAR mode is useless, since it always converts the response data from the database character set to the mod_plsql character set.

E.6.2.29 PlsqlUploadAsLongRaw

Specifies the file extensions to be uploaded as LONGRAW data type, as opposed to using the default BLOB data type. The default can be overridden by specifying multi-line directives of file extensions for field. A value of asterisk (*) in this field causes all documents to be uploaded as LONGRAW.

Category	Value
Syntax	PlsqlUploadAsLongRaw string multiline
Example	PlsqlUploadAsLongRaw jpg PlsqlUploadAsLongRaw gif
Default	None

For applications that do not upload or download documents, this parameter may be omitted.

E.6.3 cache.conf

The cache.conf file contains the configuration settings for the file system caching functionality implemented in the mod_plsql module. This configuration file is relevant only if PL/SQL applications use the OWA_CACHE package to cache dynamically generated content in the file system.

The following parameters are specified in the cache.conf file:

• PlsqlCacheCleanupTime

• PlsqlCacheDirectory

• PlsqlCacheEnable

• PlsqlCacheMaxAge

• PlsqlCacheMaxSize

• PlsqlCacheTotalSize

E.6.3.1 PlsqlCacheCleanupTime

Specifies the time to start the cleanup of the cache storage.

This setting defines the exact day and time in which cleanup should occur. The frequency can be set as daily, weekly, and monthly.

• To define daily frequency, the keyword Everyday is used. The cleanup starts every day at the time defined. For example, Everyday 2:00 causes the cleanup to happen everyday at 2:00 a.m. (local time).

• To define weekly frequency, the days of the week, (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday) are used. For example, Wednesday 15:30 causes the cleanup to happen every Wednesday at 3:30 p.m. (local time).

• To define monthly frequency, the keyword Everymonth is used. The cleanup starts on the Saturday of the month at the time defined. For example, Saturday Everymonth 23:00 causes the cleanup to happen the first Saturday of every month at 11:00 p.m. (local time).

Category	Value
Syntax	PlsqlCacheCleanupTime {Sunday-Saturday | Everyday | Everymonth} {hh:mm}
Example	PlsqlCacheCleanupTime Monday 20:00
Default	Saturday 23:00

E.6.3.2 PlsqlCacheDirectory

Specifies the directory where cache files are written out by the mod_plsql module. This directory must exist or Oracle HTTP Server will not start.

On UNIX, this directory must have write permissions by the owner of the child httpd processes.

Category	Value
Syntax	PlsqlCacheDirectory directory
Example	PlsqlCacheDirectory ORACLE_INSTANCE/OHS/component_name
Default	none

E.6.3.3 PlsqlCacheEnable

Enables mod_plsql caching.

Category	Value
Syntax	PlsqlCacheEnable {On | Off}
Example	PlsqlCacheEnable On
Default	Off

If an application does not make use of the OWA_CACHE package in the PL/SQL Web Toolkit, then you can choose to disable caching. In such situations, there will be a minor performance benefit.

E.6.3.4 PlsqlCacheMaxAge

Specifies the maximum time, in days, a cache file can reside in a file system cache, after which the cached file will be removed for cache maintenance.

This setting is to ensure that the cache system does not contain old content. This setting removes old cache files and makes space for new ones.

Category	Value
Syntax	PlsqlCacheMaxAge number
Example	PlsqlCacheMaxAge 20
Default	30 (days)

E.6.3.5 PlsqlCacheMaxSize

Specifies the maximum possible size of a cache file.

This setting prevents the case in which one file can fill up the entire cache. In general, it is recommended that this be set to about 1-3 percent of the total cache size, which is specified by PlsqlCacheTotalSize.

Category	Value
Syntax	PlsqlCacheMaxSize number
Example	PlsqlCacheMaxSize 1048576
Default	1048576

E.6.3.6 PlsqlCacheTotalSize

Specifies the total size of the cache directory. The default is 20 MB.

This setting limits the amount of space the cache is allowed to use. Both PL/SQL cache and Session Cookie cache share this cache space. This setting is not a hard limit. It might exceed the limit temporarily during normal processing. This is normal behavior.

The cleanup algorithm uses this setting to determine how much to reduce the cache files. Therefore, the real space limit is the physical storage's available size.

This parameter takes bytes as values:

• 1 megabytes = 1048576 bytes

• 10 megabytes = 10485760 bytes

Category	Value
Syntax	PlsqlCacheTotalSize number
Example	PlsqlCacheTotalSize 20971520
Default	20971520 (bytes)

E.7 mod_wl_ohs

mod_wl_ohs accepts the following directives:

ConnectRetrySecs ConnectTimeoutSecs Debug DebugConfigInfo DefaultFileName DynamicServerList ErrorPage FileCaching Idempotent KeepAliveEnabled KeepAliveSecs MatchExpression MaxPostSize MaxSkipTime PathPrepend PathTrim QueryFromRequest WebLogicCluster

WebLogicHost WebLogicPort WebLogicSSLVersion WLCookieName WLDNSRefreshInterval WLExcludePathOrMimeType WLForwardUriUnparsed WLIOTimeoutSecs WLLocalIP WLLogFile WLProxyPassThrough WLProxySSL WLProxySSLPassThrough WLServerInitiatedFailover WLSocketTimeoutSecs WLSRequest WLTempDir

Note:

mod_wl_ohs directives are the same as those accepted by mod_wl.

E.7.1 ConnectRetrySecs

Interval in seconds that the plug-in should sleep between attempts to connect to the WebLogic Server host (or all of the servers in a cluster). Make this number less than the ConnectTimeoutSecs. The number of times the plug-in tries to connect before returning an HTTP 503/Service Unavailable response to the client is calculated by dividing ConnectTimeoutSecs by ConnectRetrySecs. To specify no retries, set ConnectRetrySecs equal to ConnectTimeoutSecs. However, the plug-in attempts to connect at least twice.You can customize the error response by using the ErrorPage directive.

Category	Value
Syntax	ConnectRetrySecs secs
Example	ConnectRetrySecs 10
Default	2

E.7.2 ConnectTimeoutSecs

Maximum time in seconds that the plug-in should attempt to connect to the WebLogic Server host. Make the value greater than ConnectRetrySecs. If ConnectTimeoutSecs expires without a successful connection, even after the appropriate retries (see ConnectRetrySecs), an HTTP 503/Service Unavailable response is sent to the client. You can customize the error response by using the ErrorPage directive.

Category	Value
Syntax	ConnectTimeoutSecs secs
Example	ConnectTimeoutSecs 120
Default	10

E.7.3 Debug

Sets the type of logging performed for debugging operations. The debugging information is written to the /tmp/wlproxy.log file on UNIX systems and c:\TEMP\wlproxy.log on Windows NT/2000 systems.

Override this location and filename by setting the WLLogFile parameter to a different directory and file. (See the WLTempDir parameter for an additional way to change this location.)

Ensure that the tmp or TEMP directory has write permission assigned to the user who is logged in to the server. Set any of the following logging options (HFC,HTW,HFW, and HTC options may be set in combination by entering them separated by commas, for example ”HFC,HTW”):

• ON - The plug-in logs informational and error messages.

• OFF - No debugging information is logged.

• HFC - The plug-in logs headers from the client, informational, and error messages.

• HTW - The plug-in logs headers sent to WebLogic Server, and informational and error messages.

• HFW - The plug-in logs headers sent from WebLogic Server, and informational and error messages.

• HTC - The plug-in logs headers sent to the client, informational messages, and error messages.

• ERR - Prints only the Error messages in the plug-in.

• ALL - The plug-in logs headers sent to and from the client, headers sent to and from WebLogic Server, information messages, and error messages.

Category	Value
Syntax	Debug ON | OFF | HFC | HTW | HFW | HTC | ERR | ALL
Example	Debug HFC,HTW,HTC
Default	OFF

E.7.4 DebugConfigInfo

Enables the special query parameter ”__WebLogicBridgeConfig”. Use it to get details about configuration parameters from the plug-in.For example, if you enable ”__WebLogicBridgeConfig” by setting DebugConfigInfo and then send a request that includes the query string ?__WebLogicBridgeConfig, then the plug-in gathers the configuration information and run-time statistics and returns the information to the browser. The plug-in does not connect to WebLogic Server in this case. This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems.

Category	Value
Syntax	DebugConfigInfo OFF | ON
Example	DebugConfigInfo ON
Default	OFF

E.7.5 DefaultFileName

Sets the default welcome page of the Web Application in WebLogic Server to which requests are being proxied.

If the URI is ”/” then the plug-in performs the following steps:

1. Trims the path specified with the PathTrim parameter.

2. Appends the value of DefaultFileName.

3. Prepends the value specified with PathPrepend.

This procedure prevents redirects from WebLogic Server. For example, If the DefaultFileName is set to welcome.html, an HTTP request like ”http://somehost/weblogic” becomes ”http://somehost/weblogic/welcome.html”. For this parameter to function, the same file must be specified as a welcome file in all the Web Applications to which requests are directed. For more information, see Configuring Welcome Pages.

Apache users:

If you are using Stronghold or Raven versions, define this parameter inside of a Location block, and not in an IfModule block. Oracle

Category	Value
Syntax	DefaultFileName "http://path/to/file"
Example	DefaultFileName ”http://somehost/weblogic”
Default	none

E.7.6 DynamicServerList

When set to OFF, the plug-in ignores the dynamic cluster list used for load balancing requests proxied from the plug-in and only uses the static list specified with the WebLogicCluster parameter. Normally this parameter should remain set to ON.

There are some implications for setting this parameter to OFF:

• If one or more servers in the static list fails, the plug-in could waste time trying to connect to a dead server, resulting in decreased performance.

• If you add a new server to the cluster, the plug-in cannot proxy requests to the new server unless you redefine this parameter. WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.

Category	Value
Syntax	DynamicServerList ON | OFF
Example	DynamicServerList OFF
Default	ON

E.7.7 ErrorPage

Sets the error page that appears whenever your Web server is unable to forward requests to WebLogic Server. You can create your own error page. The plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.

Category	Value
Syntax	ErrorPage
Example	ErrorPage
Default	none

E.7.8 FileCaching

Specifies whether or not file caching is enabled. When set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes. This preserves the POST data during failover, allowing all necessary data to be repeated to the secondary if the primary goes down.

Note that when FileCaching is ON, any client that tracks the progress of the POST will see that the transfer has completed even though the data is still being transferred between the WebServer and WebLogic. So, if you want the progress bar displayed by a browser during the upload to reflect when the data is actually available on the WebLogic Server, you might not want to have FileCaching ON.

When set to OFF and the size of the POST data in a request is greater than 2048 bytes, the reading of the POST data is postponed until a WebLogic Server cluster member is identified to serve the request. Then the plug-in reads and immediately sends the POST data to the WebLogic Server in chunks of 8192 bytes.

Note that turning FileCaching OFF limits failover. If the WebLogic Server primary server goes down while processing the request, the POST data already sent to the primary cannot be repeated to the secondary.

Finally, regardless of how FileCaching is set, if the size of the POST data is 2048 bytes or less the plug-in will read the data into memory and use it if needed during failover to repeat to the secondary.

Category	Value
Syntax	FileCaching ON | OFF
Example	FileCaching OFF
Default	ON

E.7.9 Idempotent

Specifies whether or not plug-ins fail over.

• When set to ON and if the servers do not respond within WLIOTimeoutSecs, the plug-ins fail over if the method is idempotent.

• The plug-ins also fail over if Idempotent is set to ON and the servers respond with an error such as READ_ERROR_FROM_SERVER.

• If set to OFF the plug-ins do not fail over. If you are using the Apache HTTP Server you can set this parameter differently for different URLs or MIME types.

Category	Value
Syntax	Idempotent ON | OFF
Example	Idempotent OFF
Default	ON

E.7.10 KeepAliveEnabled

Enables pooling of connections between the plug-in and WebLogic Server.

If you are using Apache prefork mpm, Apache web server might crash. Turn KeepAliveEnabled to OFF when using prefork mpm or use worker mpm in Apache.

Category	Value
Syntax	KeepAliveEnabled ON(TRUE) | OFF(FALSE)
Example	KeepAliveEnabled OFF
Default	ON(TRUE)

E.7.11 KeepAliveSecs

Specifies how long to maintain an inactive connection between the plug-in and WebLogic Server. Once the time set here has elapsed, the connection is closed. You must set KeepAliveEnabled to true (ON when using the Apache HTTP Server) for this parameter to be effective.

The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the server Mbean with the KeepAliveSecs attribute.

Category	Value
Syntax	KeepAliveSecs secs
Example	KeepAliveSecs 120
Default	20

E.7.12 MatchExpression

Specifies the filename pattern to use when proxying. This directive is entered inside of an IfModule block. For example, if you wanted to proxy by MIME type, you would use MatchExpression as shown here:

<IfModule weblogic_module>
 MatchExpression *.jsp
 WebLogicHost=myHost|paramName=value
</IfModule>

Or, if you wanted to proxy by path, you would use MatchExpression like this:

<IfModule weblogic_module>
 MatchExpression /weblogic
 WebLogicHost=myHost|paramName=value
</IfModule>

You can define a new parameter for MatchExpression by using the following syntax:

MatchExpression *.jsp PathPrepend=/test PathTrim=/foo

Category	Value
Syntax	MatchExpression expression
Example	MatchExpression /weblogic
Default	none

E.7.13 MaxPostSize

Maximum allowable size of POST data, in bytes. If the content-length exceeds MaxPostSize, the plug-in returns an error message. If set to -1, the size of POST data is not checked. This is useful for preventing denial-of-service attacks that attempt to overload the server with POST data.

Category	Value
Syntax	MaxPostSize nn
Example	MaxPostSize 64
Default	-1

E.7.14 MaxSkipTime

If a WebLogic Server listed in either the WebLogicCluster parameter or a dynamic cluster list returned from WebLogic Server fails, the failed server is marked as ”bad” and the plug-in attempts to connect to the next server in the list.

MaxSkipTime sets the amount of time after which the plug-in will retry the server marked as ”bad.” The plug-in attempts to connect to a new server in the list each time a unique request is received (that is, a request without a cookie).

Category	Value
Syntax	MaxSkipTime sec
Example	MaxSkipTime 120
Default	10

E.7.15 PathPrepend

Specifies the path that the plug-in prepends to the {PATH} portion of the original URL, after PathTrim is trimmed and before the request is forwarded to WebLogic Server.Note that if you need to append File Name, use DefaultFileName parameter instead of PathPrepend.

Category	Value
Syntax	PathPrepend [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING]
Example	PathPrepend http://myHost:1234/myPath/myfile;
Default	null

E.7.16 PathTrim

PathTrim specifies the string trimmed by the plug-in from the {PATH}/{FILENAME} portion of the original URL, before the request is forwarded to WebLogic Server. For example, if this URL:

http://myWeb.server.com/weblogic/foo

is passed to the plug-in for parsing and if PathTrim has been set to strip off /weblogic before handing the URL to WebLogic Server, the URL forwarded to WebLogic Server is:

http://myWeb.server.com:7001/foo

Note that if you are newly converting an existing third-party server to proxy requests to WebLogic Server using the plug-in, you will need to change application paths to /foo to include weblogic/foo. You can use PathTrim and PathPrepend in combination to change this path.

Category	Value
Syntax	PathTrim [PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}
Example	PathTrim http://myWeb.server.com/weblogic/foo
Default	null

E.7.17 QueryFromRequest

When set to ON, specifies that the Apache HTTP Server use

(request_rec *)r->the_ request

to pass the query string to WebLogic Server. (For more information, see the Apache documentation.) This behavior is useful when a Netscape version 4.x browser makes requests that contain spaces in the query string.

When set to OFF, the Apache HTTP Server uses (request_rec *)r->args to pass the query string to WebLogic Server.

Category	Value
Syntax	QueryFromRequest ON | OFF
Example	QueryFromRequest ON
Default	OFF

E.7.18 WebLogicCluster

Specifies the list of WebLogic Servers that can be used for load balancing. The server or cluster list is a list of host:port entries. If a mixed set of clusters and single servers is specified, the dynamic list returned for this parameter will return only the clustered servers. This derivative is required to proxy a list of clustered back-end servers or to perform load balancing among non-clustered managed server instances.

If you are using SSL between the plug-in and WebLogic Server, set the port number to the SSL listen port and set the SecureProxy parameter to ON.

The plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and plug-in maintain. WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.

You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to OFF.

The plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that originally created the cookie.

Category	Value
Syntax	The syntax for specifying the value of this parameter varies depending on the web server for which you are configuring the plug-in, as described in Using Web Server 1.1 Plug-Ins with Oracle WebLogic Server. For more information, see the following: Chapter 2, "Configuring the mod_wl_ohs Plug-In for Oracle HTTP Server" Chapter 3, "Installing and Configuring the Oracle iPlanet Web Server Plug-In" Chapter 4, "Installing and Configuring the Apache HTTP Server Plug-In" Chapter 5, "Installing and Configuring the Microsoft IIS Plug-In"
Example	WebLogicCluster w1s1.com:7001,w1s2.com:7001,w1s3.com:7001
Default	none

E.7.19 WebLogicHost

Specifies the WebLogic Server host (or virtual host name as defined in WebLogic Server) to which HTTP requests should be forwarded. If you are using a WebLogic cluster, use the WebLogicCluster parameter instead of WebLogicHost. This directive is required when proxying to a single WebLogic Server.

Category	Value
Syntax	WebLogicHost hostname
Example	WebLogicHost myHost
Default	none

E.7.20 WebLogicPort

Specifies the port at which the WebLogic Server host is listening for connection requests from the plug-in (or from other servers). This directive is required when proxying to a single WebLogic Server.

• If you are using SSL between the plug-in and WebLogic Server, set this parameter to the SSL listen port and set the SecureProxy parameter to ON.

• If you are using a WebLogic Cluster, use the WebLogicCluster parameter instead of WebLogicPort.

Category	Value
Syntax	WebLogicPort portNo
Example	WebLogicPort 1234
Default	none

E.7.21 WebLogicSSLVersion

Note:

Because of security concerns, the SSLv3 security protocol is disabled out-of-the-box in the Oracle HTTP Server 11.1.1.9 release. The SSLv2 and SSLV3 protocols are no longer supported by Oracle HTTP Server.

If you are upgrading from an earlier release of Oracle HTTP Server, the SSLv3 and/or SSLv2 security protocol might be a part of your configuration. Oracle strongly recommends that you disable any SSLv3 or SSLv2 configuration from Oracle HTTP Server. See Section 8.9, "Disable SSLv2 and SSLv3 Security Protocols."

Selects the SSL protocol version to use for communication between the plug-in and the WebLogic Server. The following values are accepted:

• TLSv1

• TLSv1.1

• TLSv1.2

You can specify multiple values as a space-delimited list.

The SSL protocol version chosen is used for all the connections from the plug-in to WebLogic Server. Hence define this parameter at the global scope.

In the current release, you can specify the value for this directive using OpenSSL format. The nzos* formats have been deprecated and their use should be avoided.

Protocol Name	OpenSSL Format	nzos* Format (Deprecated)
TLS version 1.0	TLSv1	nzos_Version_1_0
TLS version 1.1	TLSv1.1	nzos_Version_1_1
TLS version 1.2	TLSv1.2	nzos_Version_1_2

Category	Value
Syntax	WebLogicSSLVersion versionNumber
Example	WebLogicSSLVersion TLSv1 TLSv1.1
Default	If not configured, the best protocol supported by both the plug-in and WebLogic Server is used.

E.7.22 WLCookieName

Note:

WLCookieName replaces CookieName, which is deprecated.

If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, then you must change this parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor> element.

Category	Value
Syntax	WLCookieName cookieName
Example	WLCookieName
Default	JSESSIONID

E.7.23 WLDNSRefreshInterval

If defined in the proxy configuration, this directive specifies the interval duration, in seconds, at which WebLogic Server refreshes DNS name to IP mapping for a server. This can be used in the event that a WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same. In this case, at the specified refresh interval the bi-directional DNS-to-IP mapping will be updated.

Category	Value
Syntax	WLDNSRefreshInterval nn
Example	WLDNSRefreshInterval 10
Default	Lookup once, during startup

E.7.24 WLExcludePathOrMimeType

This parameter allows you exclude certain requests from proxying. This parameter can be defined locally at the Location tag level as well as globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters.

Category	Value
Syntax	WLExcludePathOrMimeType value
Example	WLExcludePathOrMimeType
Default	none

E.7.25 WLForwardUriUnparsed

When set to ON, the WLS plug-in will forward the original URI from the client to WebLogic Server. When set to OFF (default), the URI sent to WebLogic Server is subject to modification by mod_rewrite or other web server plug-in modules.

Category	Value
Syntax	WLForwardUriUnparsed ON | OFF
Example	WLForwardUriUnparsed ON
Default	OFF

E.7.26 WLIOTimeoutSecs

Note:

WLIOTimeoutSecs is the new name for HungServerRecoverSecs.

Defines the amount of time the plug-in waits for a response to a request from WebLogic Server. The plug-in waits for WLIOTimeoutSecs for the server to respond and then declares that server dead, and fails over to the next server. The value should be set to a very large value. If the value is less than the time the servlets take to process, then you may see unexpected results.

• Minimum value: 10

• Maximum value: Unlimited

Category	Value
Syntax	WLIOTimeoutSecs nn
Example	WLIOTimeoutSecs 128
Default	300

E.7.27 WLLocalIP

Defines the IP address (on the plug-in's system) to which to bind when the plug-in connects to a WebLogic Server instance running on a multihomed machine.

If WLLocalIP is not set, the TCP/IP stack will choose the source IP address.

Category	Value
Syntax	WLLocalIP ipAddress
Example	WLLocalIP 1001.1111.1234.4567
Default	none

E.7.28 WLLogFile

Specifies path and file name for the log file that is generated when the Debug parameter is set to ON. You must create this directory before setting this parameter.

Category	Value
Syntax	WLLogFile path/to/file.ext
Example	WLLogFile http://myFolder/mySubfolder/myLogfile.log
Default

E.7.29 WLProxyPassThrough

If you have a chained proxy setup, where a proxy plug-in or HttpClusterServlet is running behind some other proxy or load balancer, you must explicitly enable the WLProxyPassThrough parameter. This parameter allows the header to be passed through the chain of proxies.

Category	Value
Syntax	WLProxyPassThrough ON | OFF
Example	WLProxyPassThrough ON
Default	OFF

E.7.30 WLProxySSL

Specifies whether or not to maintain SSL communication between the plug-in and WebLogic Server when the following conditions exist:

• An HTTP client request specifies the HTTPS protocol.

• The request is passed through one or more proxy servers (including the WebLogic Server proxy plug-ins).

• The connection between the plug-in and WebLogic Server uses the HTTP protocol.

• When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.

Category	Value
Syntax	WLProxySSL ON | OFF
Example	WLProxySSL ON
Default	OFF

E.7.31 WLProxySSLPassThrough

If a load balancer or other software deployed in front of the web server and plug-in is the SSL termination point, and that product sets the WL-Proxy-SSL request header to true or false based on whether or not the client connected to it over SSL, set WLProxySSLPassThrough to ON so that the use of SSL is passed on to the Oracle WebLogic Server.

If the SSL termination point is in the web server where the plug-in operates, or the load balancer does not set WL-Proxy-SSL, set WLProxySSLPassThrough to OFF (default).

Category	Value
Syntax	WLProxySSLPassThrough ON | OFF
Example	WLProxySSLPassThrough ON
Default	OFF

E.7.32 WLServerInitiatedFailover

Specifies whether or not a 503 error response from Oracle WebLogic Server triggers a failover to another server. Normally, the plug-in will attempt to failover to another server when a 503 error response is received. When WLServerInitiatedFailover is set to OFF, the 503 error response will be returned to the client immediately.

Category	Value
Syntax	WLServerInitiatedFailover ON | OFF
Example	WLServerInitiatedFailover OFF
Default	ON

E.7.33 WLSocketTimeoutSecs

Sets the timeout, in seconds, for the socket while connecting. See ConnectTimeoutSecs and ConnectRetrySecs for additional details. This value must be greater than 0

Category	Value
Syntax	WLSocketTimeoutSecs nn
Example	WLSocketTimeoutSecs 10
Default	2

E.7.34 WLSRequest

This is an alternative to the SetHandler weblogic-handler mechanism of identifying requests to be forwarded to Oracle WebLogic Server. For example,

<Location /weblogic>
 WLSRequest ON
 PathTrim /weblogic
</Location>

The use of WLSRequest ON instead of SetHandler weblogic-handler has the following advantages:

• Lower web server processing overhead in general

• Resolves substantial performance degradation when the web server DocumentRoot is on a slow file system

• Resolves 403 errors for URIs which cannot be mapped to the file system due to the file system length restrictions

Category	Value
Syntax	WLSRequest ON | OFF
Example	WLSRequest ON
Default	OFF

E.7.35 WLTempDir

Specifies:

• The directory where a wlproxy.log will be created. If the location fails, the Plug-In resorts to creating the log file under C:/temp in Windows and /tmp in all Unix platforms.

• The location of the _wl_proxy directory for POST data files.

When both WLTempDir and WLLogFile are set, WLLogFile will override as to the location of wlproxy.log. WLTempDir will still determine the location of _wl_proxy directory.

Category	Value
Syntax	WLTempDir dirNamee
Example	WLTempDir MyLogDir
Default	See the Debug parameter .